GoBruteforcer Botnet Targets Crypto Databases via Weak Credentials

A new wave of GoBruteforcer (GoBrut) attacks is targeting cryptocurrency and blockchain project databases, exploiting weak or default credentials to expand its botnet and brute‑force services like FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers.

Key Drivers of the Campaign

• AI-generated deployment examples: Many tutorials and LLM‑produced code snippets reuse common usernames and weak defaults (e.g., myuser:Abcd@123, appeaser:admin123456).
• Legacy stacks: Outdated platforms like XAMPP expose FTP and admin interfaces with minimal hardening.
• Credential rotation: Attackers refresh username/password pools weekly, mixing in crypto‑focused names (cryptouser, crypto_app) and phpMyAdmin defaults (root, wordpress, wpuser).

Attack Flow

1. Initial access: Internet‑exposed FTP services on XAMPP servers are brute‑forced.
2. Web shell upload: Attackers drop a PHP shell to gain remote control.
3. Bot deployment: Shell downloads an updated IRC bot tailored to system architecture.
4. Host roles:
   • Run brute‑force modules against FTP/MySQL/Postgres/phpMyAdmin.
   • Serve payloads to other compromised systems.
   • Act as IRC‑style C2 or backup infrastructure.

Advanced Capabilities

• Obfuscated IRC bot (mid‑2025): Rewritten in Golang with persistence, process masking, and dynamic credential lists.
• TRON blockchain targeting: Compromised hosts query balances via tronscanapi[.]com to identify accounts with non‑zero funds.
• SystemBC overlap: Some bots also linked to the SystemBC malware family, showing cross‑botnet integration.

Broader Context

• GreyNoise findings: Threat actors are scanning for misconfigured proxy servers that expose LLM services.
• Two campaigns observed:
  • SSRF exploitation: Targeting Ollama’s model pull and Twilio SMS webhooks (Oct 2025–Jan 2026).
  • LLM endpoint enumeration: From Dec 28, 2025, two IPs probed 73+ endpoints (Alibaba, Anthropic, DeepSeek, Google, Meta, Mistral, OpenAI, xAI), generating 80,469 sessions in 11 days.

Defensive Recommendations

• Credential hygiene:
  • Avoid default usernames/passwords in deployments.
  • Rotate credentials regularly and enforce strong complexity.
• Infrastructure hardening:
  • Disable unused FTP/admin interfaces.
  • Patch legacy stacks like XAMPP or migrate to hardened alternatives.
• Monitoring:
  • Watch for brute‑force attempts and anomalous IRC traffic.
  • Audit blockchain‑related servers for suspicious queries.
• LLM security:
  • Secure proxy configurations.
  • Monitor for SSRF attempts and unusual API traffic.

Takeaway

GoBruteforcer exemplifies how weak defaults + exposed infrastructure + automated tools create fertile ground for botnet expansion. By targeting crypto projects and leveraging blockchain queries, attackers are aligning brute‑force campaigns with financial gain. The parallel surge in LLM endpoint scanning shows adversaries are also probing AI ecosystems for misconfigurations, widening the attack surface for 2026.